The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed it is tracking malicious cyber activity targeting endpoint management systems across the nation’s organizations. The confirmation follows the March 11, 2026, cyberattack on medical technology giant Stryker Corp., which reportedly wiped corporate devices connected to the firm’s Microsoft environment and forced the company to restrict access to certain information systems while incident responders worked to contain the breach and restore operations. The incident, which has been linked in reporting to suspected Iran-aligned threat activity amid heightened Middle East tensions, highlights growing risks to critical healthcare and enterprise IT infrastructure.
In response, CISA is urging organizations to harden endpoint management system configurations and adopt stronger defensive measures to mitigate similar threats. The agency is also coordinating closely with federal partners, including the FBI (Federal Bureau of Investigation), to investigate the attack, identify broader threat patterns, and determine additional mitigation actions.
In its latest update, Stryker said that it was “working closely with our global manufacturing sites to manage operations and mitigate potential impacts, supported by our robust resiliency and business continuity plans. We are actively bringing our electronic ordering systems back online. In the meantime, your Stryker Sales Representatives will be working with you and your distributors directly in an effort to bring you replenishment product through manual ordering where that option exists.”
Orders placed before the disruption will be reconciled as systems are restored, and electronic orders placed during the disruption will be processed once systems are back online and supply is flowing normally.
“We are prioritizing restoration of systems that directly support customers, ordering and shipping,” it added. “Our core transactional systems are already on a clear path to full recovery, and we will continue to provide updates as progress is made. There is nothing more important to us than the customers and patients we serve, and we are grateful for your continued support and partnership.”
To defend against similar malicious activity that exploits legitimate endpoint management software, the CISA alert is urging organizations to implement Microsoft’s newly released best practices for securing Microsoft Intune, noting that these principles can also be applied to other endpoint management tools.
Organizations should apply the principle of least privilege when designing administrative roles, ensuring that users are granted only the access necessary to perform their tasks. This can be enforced through role-based access control within Microsoft Intune, where permissions are limited based on the specific actions required and the users or devices those actions apply to.
CISA also recommends enforcing phishing-resistant multi-factor authentication and maintaining strong privileged access hygiene. Capabilities within Microsoft Entra ID, including conditional access, MFA, risk signals, and privileged access controls, should be used to prevent unauthorized access to sensitive administrative functions.
In addition, organizations should configure access policies that require multi-admin approval for high-impact actions. This ensures that changes involving sensitive operations, such as device wiping, application deployment, script execution, role modifications, or configuration updates, require authorization from a second administrative account before they can be executed.
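As an added illustration (not code from CISA, Microsoft, or this article), the following Python sketch reviews endpoint-management audit events for the two conditions the guidance above is meant to prevent: high-impact actions carried out without a distinct second approver, and a burst of device wipes from one account. The event fields, action labels, account names, and thresholds are constructed assumptions and do not reflect the Intune audit log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# High-impact categories named in the guidance; the labels themselves are constructed.
HIGH_IMPACT = {"device_wipe", "app_deploy", "script_run", "role_change", "config_update"}

# Constructed sample events. Field names are assumptions, not a real audit schema.
def ev(time, actor, action, target, approved_by=None):
    return {"time": time, "actor": actor, "action": action,
            "target": target, "approved_by": approved_by}

EVENTS = [
    ev("2026-01-01T01:50:00", "admin-a", "device_wipe", "LT-001", "admin-b"),
    ev("2026-01-01T01:55:00", "admin-a", "device_sync", "LT-002"),
    ev("2026-01-01T02:00:00", "admin-c", "role_change", "role-helpdesk", "admin-c"),
    ev("2026-01-01T02:05:00", "admin-b", "config_update", "policy-1", "admin-a"),
] + [ev(f"2026-01-01T02:10:{10 * i:02d}", "svc-mdm", "device_wipe", f"LT-1{i:02d}")
     for i in range(5)]

def unapproved(events):
    """High-impact actions with no approver, or approved by the requester itself."""
    return [e for e in events
            if e["action"] in HIGH_IMPACT
            and e.get("approved_by") in (None, "", e["actor"])]

def wipe_bursts(events, limit=3, window=timedelta(minutes=10)):
    """Map actor -> largest number of wipes in any window, when above `limit`."""
    per_actor = defaultdict(list)
    for e in events:
        if e["action"] == "device_wipe":
            per_actor[e["actor"]].append(datetime.fromisoformat(e["time"]))
    flagged = {}
    for actor, times in per_actor.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Shrink the window from the left until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count > limit:
                flagged[actor] = max(flagged.get(actor, 0), count)
    return flagged

if __name__ == "__main__":
    for e in unapproved(EVENTS):
        print("no second approver:", e["time"], e["actor"], e["action"], e["target"])
    print("wipe bursts:", wipe_bursts(EVENTS))
```

The self-approval case (`admin-c` approving its own role change) is flagged deliberately, since a second approval from the same account provides no separation of duties.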
Additionally, the cybersecurity agency recommends reviewing a range of resources to strengthen defenses against similar malicious cyber activity.
From Microsoft, organizations are advised to consult guidance on securing Microsoft Intune, including best practices for configuration, implementing multi-admin approval through access policies, and applying zero trust principles to enhance overall security. Further guidance is available on implementing role-based access control within Intune to ensure appropriate permission management, as well as planning and deploying Privileged Identity Management across Intune, Microsoft Entra ID, and other Microsoft platforms to better control privileged access.
CISA also points organizations to its own guidance on implementing phishing-resistant multi-factor authentication, a critical measure for preventing unauthorized access and strengthening identity security.


